If you have a PayPal account, make sure you have it sending notices of all transactions to an email account that you use regularly. Check that email regularly. And it wouldn’t hurt to check the PayPal account regularly to monitor it for fishy transactions. If you don’t, you might find yourself in a worse fix than I found myself.
Long story short: Some evil dirtbag hacked into my PayPal account. Which in itself isn’t much of a big deal. I never keep a large balance in PayPal (for good reason, it turns out). Problem is this criminal(s) set up a series of withdrawals, first directly from the PayPal account, then via an electronic check from one of the bank accounts I had set up with the PayPal account.
The work I do requires that I maintain a PayPal account to get paid for my work, so simply closing my PayPal account is not a viable option.
Having said that, I thought I had sufficient security, with an encrypted router, passwords that employ letters, numbers and symbols, and security questions. Apparently, that’s not enough.
Luckily, a series of emails alerted me to some unusual activity on my PayPal account.
After a quick look at the account activity, I knew immediately the account had been hacked and several unauthorized transactions had been initiated. I poked around the site and found “Resolution Center” in the second menu tier. Don’t let the layers stop you from pursuing the matter, especially if you know you didn’t authorize a certain transaction. Look for the yellow “Dispute a Transaction” button. The next page will present a menu of problems (“I didn’t receive an item I recently purchased” or “I did not authorize a recent transaction”). Poke around until you find the page that links you to the specific transactions, allows you to file a dispute, and then look for the phone number to call.
If the money was withdrawn directly from your PayPal account, that’s probably all you have to do. If, however, an attempt was made to withdraw funds from a third party bank account you hold via PayPal, you will need to contact your bank as well. Failure to do so could be very costly for you. DO NOT WAIT TO FI X THIS LATER.
I wasted a good portion of my morning recently chasing this down, but it potentially saved me hundreds (if not thousands) of dollars and days if not weeks of nightmarish entanglement.
To their credit, the folks at PayPal were responsive, (almost) immediately refunding a direct deduction, and responding with suggestions for further action, including establishing a more difficult password (First thing I did) and updating security questions. One rep suggested, knowing that most people use only one or two passwords for all of their accounts, that you use one password for SECURE accounts, such as bank and PayPal accounts (look for HTTPS in the URL), and an unrelated password for less secure sites – pretty much anything else is vulnerable, from email accounts to Facebook (Hack City). I guess those IT nazis insisting we change our passwords every 90 days have a valid point. Dang, that annoys the hell out of me.
These dirtbags (the hacker thieves, not the IT nazis) are extremely difficult to catch. They use multiple IP addresses and move around quickly. They could be anywhere, and often are far, far away. One of my little hacker buddies tried to withdraw funds in EUROS. There’s a clue for ya.
The lessons I learned: 1) My stuff’s not as secure as I thought, and 2) I’m lucky I didn’t procrastinate dealing with this unpleasant task.
Or I’d be S.O.L.